Privacy Policy — Daily Affirm: Widget & Quotes
1. Who We Are
Daily Affirm: Widget & Quotes ("the App," "we," "us," or "our") is operated by Roman Samoilenko, a Ukrainian sole proprietor (FOP) trading as TidyBit ("Developer"). Roman Samoilenko is the data controller for personal data processed under this policy. If you have questions about this policy or wish to exercise your privacy rights, contact us at:
Email: tidybitapps@gmail.com
Privacy request form: daily-affirm-widget.web.app/privacy-request.html
2. Scope
This policy applies to the Daily Affirm iOS and Android applications and describes how we collect, use, and protect information when you use the App. It does not cover third-party websites or services that we link to.
3. Information We Collect
3.1 Information Collected Automatically via Firebase Analytics
When you use the App, Firebase Analytics (a Google service) automatically collects:
- App instance identifier — a randomly generated, resettable identifier unique to your app installation (not linked to your Apple ID, Google Account, or any other account).
- Device information — device model, operating system version, language, and time zone.
- General location — country or region derived from your IP address. Precise GPS location is never collected.
- App usage events — interactions such as screens viewed, affirmation categories browsed, themes selected, notifications enabled or disabled, widget interactions, and similar in-app actions (30+ event types). These events are collected to understand how the App is used and to improve it; they are not used to build an advertising profile.
Firebase Analytics data is processed by Google in accordance with Google's privacy policy. Google may aggregate and anonymize this data for its own analytical purposes.
3.2 Crash and Diagnostics Data (Firebase Crashlytics)
If the App crashes or encounters an error, Firebase Crashlytics automatically collects a crash report containing:
- A stack trace and error message describing the crash.
- Device model and OS version at the time of the crash.
- App version number.
Crash reports do not contain your name, email address, location, or any content you have interacted with.
3.3 Advertising Identifiers (AdMob — Free Tier Only)
This section applies only if you are using the free tier of the App and advertising is active. If you have unlocked the premium tier, banner ads are removed and AdMob is not used.
Daily Affirm's free tier displays banner ads served by Google AdMob. To serve and measure these ads, AdMob may collect:
- iOS: Your Advertising Identifier (IDFA), if you have granted permission via Apple's App Tracking Transparency (ATT) prompt. If you deny permission, only non-personalized ads are served.
- Android: Your Google Advertising ID (Ad ID), subject to your consent choice presented via the Google User Messaging Platform (UMP) consent dialog on first launch.
- IP address (used for general geo-targeting, e.g., country-level).
- Ad interaction data (impressions, taps).
AdMob ad data is processed by Google in accordance with Google's privacy policy.
If ad serving is not active in the version of the App you have installed (for example, if ads have not yet launched in your region or on your platform), none of the AdMob data above is collected.
3.4 In-App Purchase Transactions
If you make an in-app purchase, the transaction is processed entirely by the platform store (Apple App Store or Google Play Store). We do not see or store your payment card number, billing address, or any payment credential.
We receive from the platform:
- Transaction status (success/fail/restored).
- Product identifier purchased (one of three non-consumable SKUs).
- Transaction ID (platform-issued).
This information is used solely to unlock the premium tier locally on your device. The transaction ID and product identifier are not transmitted to any server we operate, with the single Android-only exception described immediately below.
Android only — Play Integrity verification. On Android, before each in-app purchase, the App requests a Play Integrity verdict from Google Play Services and forwards the resulting attestation token, together with the product identifier you are attempting to purchase, to a Firebase Cloud Function we operate. The Cloud Function validates the token with Google's Play Integrity API and returns a pass/fail decision to your device. The token itself contains your app-licensing status (whether your Google account owns the App) and a device-integrity verdict (whether your device is recognized as a genuine Android device). We do not store the token or its contents beyond the in-process verification, but Google Cloud Logging records the HTTP request metadata (including the originating IP address) for up to 30 days as standard operational logging (see §7). On iOS, this flow does not apply — purchase receipts are verified locally via Apple's StoreKit 2 JWS signatures, with no developer-side server involvement.
3.5 Information You Provide — Favorites
Affirmations you mark as favorites are stored locally on your device only. They are never uploaded to any server or cloud service, and they are not accessible to us. Uninstalling the App permanently deletes your favorites.
3.6 Notifications
If you enable daily affirmation notifications, the scheduling is handled entirely on your device. No push token or device registration is sent to any server we operate.
3.7 Information We Do NOT Collect Within the App
Within the App itself, we do not collect:
- Name, email address, phone number, or any contact information.
- Passwords or authentication credentials.
- Photos, audio, or files from your device.
- Precise GPS location.
- Health or fitness data.
- Calendar or contacts data.
- Any information typed or pasted into the App.
Information you voluntarily provide by email or via our privacy-request form is described separately in §3.8.
3.8 Information You Voluntarily Provide When Contacting Us
If you email us at tidybitapps@gmail.com or submit our online privacy-request form at daily-affirm-widget.web.app/privacy-request.html, the following information is collected outside the App and processed by us:
- Information you enter into the form or email — your name or pseudonym (optional), email address (required so we can respond), state or region of residence, app platform, approximate install date, the type of right you wish to exercise, and the description of your request.
- Technical metadata captured when you submit the form — a salted, one-way hash of your IP address (used solely to rate-limit submissions and prevent abuse), your browser's user-agent string (truncated, retained for abuse review), and the submission timestamp.
The form is served from our Firebase-hosted website (daily-affirm-widget.web.app); submissions are sent to a Firebase Cloud Function we operate, which validates the input and stores the submission in a private Cloud Firestore database. The Firestore database is not publicly readable — only Roman Samoilenko (the data controller) can access submissions via the Firebase console. Hosting, Cloud Functions, and Cloud Firestore are provided by Google LLC in the United States (region: us-central1).
We use this information solely to verify and respond to your privacy request and to maintain a record of our compliance with applicable privacy laws (including the 24-month consumer-request recordkeeping requirement under 11 CCR § 7101 and the response-time documentation obligations under GDPR Art. 12). We retain this information for no longer than 24 months after the request is fulfilled, after which it is deleted. We do not use it for marketing, profiling, advertising, or any unrelated purpose, and we do not sell or share it.
Google LLC (Firebase Hosting, Cloud Functions, Cloud Firestore) acts as our data processor for the privacy-request form; see §6 and §11.
4. No User Accounts
Daily Affirm does not offer user accounts, sign-in, or registration. All preferences, favorites, and purchase entitlements are stored locally on your device.
5. How We Use Information
| Purpose | Data used | Legal basis (GDPR) |
|---|---|---|
| Understand how the App is used and improve it | Firebase Analytics events | Inside EEA / UK: Consent (Art. 6(1)(a)) — defaults are denied; collected only after the in-app UMP consent dialog grants analytics_storage via Google Consent Mode v2. Outside EEA / UK: Legitimate interest (Art. 6(1)(f)). |
| Diagnose and fix crashes | Crashlytics crash reports | Inside EEA / UK: Consent (Art. 6(1)(a)) — Crashlytics is disabled at install time and only enabled after the same UMP grant flow. Outside EEA / UK: Legitimate interest (Art. 6(1)(f)). |
| Serve and measure banner ads (free tier, when active) | AdMob identifiers | Consent (Art. 6(1)(a)) — collected only after ATT / UMP consent |
| Fulfill your in-app purchase | Transaction status from platform store | Performance of contract (Art. 6(1)(b)) |
We do not sell your personal information. We do not use your data for automated decision-making or profiling.
6. Third-Party Services and Data Processors
| Service | Provider | Purpose | Privacy policy |
|---|---|---|---|
| Firebase Analytics | Google LLC | App usage analytics | policies.google.com/privacy |
| Firebase Crashlytics | Google LLC | Crash reporting | policies.google.com/privacy |
| Google AdMob | Google LLC | Banner advertising (free tier, when active) | policies.google.com/privacy |
| Firebase Cloud Functions | Google LLC | Pre-IAP integrity verification (Android only, §3.4) | policies.google.com/privacy |
| Firebase App Check | Google LLC | Anti-abuse attestation for the Cloud Function (Android only) | policies.google.com/privacy |
| Google Cloud Logging | Google LLC | Operational logging of Cloud Function HTTP requests — IP, timestamp, status (Android only, §3.4 / §7) | cloud.google.com/terms/data-processing-addendum |
| Google Play Integrity API | Google LLC | Device-integrity attestation for Android IAP (token contents described in §3.4) | policies.google.com/privacy |
| Apple App Store | Apple Inc. | In-app purchase processing (iOS) | apple.com/legal/privacy |
| Google Play Store | Google LLC | In-app purchase processing (Android) | policies.google.com/privacy |
| Firebase Hosting | Google LLC | Hosting of the privacy-request form web page (§3.8) | policies.google.com/privacy |
| Cloud Firestore | Google LLC | Storage of privacy-request submissions (§3.8) | policies.google.com/privacy |
App content (affirmations, themes, strings) is bundled with the App and served entirely offline. The only network endpoints the App contacts that are operated by us are the Firebase Cloud Function described in §3.4 (Android only) and the Firebase-hosted privacy-request form described in §3.8 (web only, opt-in).
7. Data Retention and Deletion
- Firebase Analytics: Event-level data retention set to 2 months in the Firebase console. Aggregated, anonymized reports may be retained longer.
- Firebase Crashlytics: Crash reports retained for 90 days per Google's standard Crashlytics retention policy.
- AdMob: Ad interaction data retained for 13 months, per Google's data retention policy.
- Cloud Functions logs (Android IAP verification, §3.4): IP address and HTTP request metadata are retained for up to 30 days in Google Cloud Logging at the default
_Defaultlog-bucket retention tier. - IAP entitlements: Stored locally on your device for the lifetime of the App installation. Deleted when you uninstall the App.
- Favorites: Stored locally; deleted on uninstall.
To delete your Firebase analytics data: You can reset your advertising identifier or app instance ID in your device settings, which unlinks future data from past data. On iOS: Settings → Privacy & Security → Tracking (for IDFA) or reset via the "Reset advertising identifier" option. On Android: Settings → Google → Ads → Reset advertising ID.
8. Your Rights
GDPR (European Economic Area and UK residents)
If you are located in the EEA or UK, you have the right to:
- Access — request a copy of personal data we hold about you.
- Rectification — request correction of inaccurate data.
- Erasure — request deletion of your personal data ("right to be forgotten").
- Restriction — request that we limit processing of your data.
- Portability — receive your data in a portable format.
- Object — object to processing based on legitimate interests.
- Withdraw consent — where processing is based on consent (e.g., personalized ads), withdraw at any time via the in-app consent settings or your device's advertising settings.
Because we do not operate a user account system, the personal data we directly hold is limited to (a) Cloud Functions request logs for Android in-app-purchase verification (IP address and HTTP request metadata, retained 30 days — see §3.4 and §7) and (b) information you voluntarily provide via email or our privacy-request form (§3.8). All other personal data is held by our third-party processors (Firebase / Google). To exercise these rights against Google-held data, contact Google directly or use your device settings; for data we directly hold, contact tidybitapps@gmail.com.
You also have the right to lodge a complaint with your local data protection authority.
CCPA / CPRA (California residents)
California residents have the right to:
- Know what personal information is collected about them.
- Know whether personal information is sold or disclosed, and to whom.
- Opt out of the sale of personal information.
- Request deletion of personal information.
- Non-discrimination for exercising these rights.
We do not sell personal information. Because we do not operate a user account system, we do not maintain a database of identified users. The personal data we directly hold is limited to Cloud Functions request logs for Android in-app-purchase verification (30 days, see §3.4 and §7) and information you voluntarily provide via email or our privacy-request form (§3.8). All other data is held by Google (Firebase, AdMob). To submit a deletion or access request, you may either:
- Email us at tidybitapps@gmail.com, or
- Submit our online privacy-request form at daily-affirm-widget.web.app/privacy-request.html.
We provide these two methods to meet the California Consumer Privacy Act (§1798.130(a)(1)(B)) requirement that businesses designate at least two methods for consumer rights requests.
Other U.S. State Privacy Laws
If you are a resident of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Iowa (ICDPA), Texas (TDPSA), Montana (MCDPA), Oregon (OCPA), Tennessee (TIPA), Florida (FDBR), Delaware (DPDPA), New Hampshire (NHPA), New Jersey (NJDPA), Indiana (INCDPA), Kentucky (KCDPA), Rhode Island (RIDTPPA), Maryland (MODPA), Minnesota (MCDPA), or Nebraska (NDPA), you have rights substantially similar to those described above for California — to know and access the personal data we hold about you, to correct inaccuracies, to request deletion, and (where applicable) to opt out of targeted advertising, sale of personal data, or profiling that has significant effects.
Maryland (MODPA) additionally imposes a strict data-minimization standard: we collect only personal data that is reasonably necessary and proportionate to provide the App's functionality. We do not sell sensitive personal data of Maryland consumers, including any data that would qualify as sensitive under MODPA's heightened standard.
Appeal rights (VA / CO / CT / TX / OR / DE / NJ / IN / KY / RI / MD / MN / NE). If we decline to act on your rights request, you may appeal our decision within a reasonable time of receiving it. To appeal, email tidybitapps@gmail.com with the subject line "Privacy Request Appeal" and a brief explanation of why you believe the original decision should be reconsidered. We will respond to your appeal in writing within 60 days. If your appeal is denied, you may contact your state Attorney General to submit a complaint.
To exercise any of the rights described in this section, use either of the two methods listed above (email or the online privacy-request form).
9. Children's Privacy (COPPA)
Daily Affirm is a general-audience application not directed at children under 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe that your child under 13 has provided personal information through the App, please contact us at tidybitapps@gmail.com and we will take prompt steps to delete that information from our processors.
If we learn that we have collected personal information from a child under 13 without parental consent, we will delete that information as quickly as possible.
10. Data Security
We take reasonable technical and organizational measures to protect information from unauthorized access, alteration, disclosure, or destruction. Because favorites, preferences, and purchase entitlements are stored locally on your device, they are protected by your device's own security measures (passcode, Face ID / fingerprint). Analytics and crash data transmitted to Firebase is sent over HTTPS.
No method of transmission over the internet or method of electronic storage is 100% secure. We cannot guarantee absolute security.
11. International Data Transfers
The data processors named in §6 are all based in the United States:
- Google LLC (Firebase Analytics, Crashlytics, AdMob) — participates in the EU-U.S. Data Privacy Framework and uses standard contractual clauses to ensure adequate protection for transfers from the EEA/UK. See policies.google.com/privacy/frameworks.
- Apple Inc. (in-app purchase processing on iOS) — Apple's published privacy commitments and international transfer mechanisms apply to platform-mediated purchase data. See apple.com/legal/privacy.
If you use the App from outside the United States, or if you contact us from outside the United States via email or the privacy-request form, your data may be transferred to and processed in the United States or other countries where these providers operate data centers.
12. Platform-Specific Disclosures
The tables in this section describe data collected by the App itself. Information you voluntarily provide by email or via our online privacy-request form (§3.8) is not in-app collection and is not represented in these tables.
Apple App Privacy (App Store)
For the purposes of Apple's App Privacy nutrition label:
| Data type | Collected? | Linked to identity? | Used for tracking? |
|---|---|---|---|
| Identifiers (device/app instance ID) | Yes — Firebase Analytics app instance ID | No | No |
| Usage data (app interactions) | Yes — Firebase Analytics events | No | No |
| Diagnostics (crash logs) | Yes — Crashlytics | No | No |
| Advertising data (IDFA, ad interactions) | Yes — AdMob, free tier only, when active, with ATT consent | No | Yes (ad serving only) |
| Location (precise) | No | — | — |
| Contact info, health, financial, photos, messages | No | — | — |
"Linked to identity" means linked to your name, email, or Apple ID — none of the above data is linked to your identity because we have no account system.
Google Play Data Safety
| Data category | Collected? | Shared with third parties? | Purpose |
|---|---|---|---|
| Device or other IDs | Yes — Firebase app instance ID; Ad ID (free tier, when active) | Yes — Google (Firebase, AdMob) | Analytics; ad serving |
| Device or other IDs (Play Integrity verdict via developer Cloud Function, Android only, pre-IAP) | Yes — appLicensingVerdict, deviceRecognitionVerdict, request hash + IP address (server-log only) | Yes — Google (Play Integrity API); also processed by a Firebase Cloud Function we operate (see §3.4) | Anti-fraud / purchase verification |
| App interactions | Yes — Firebase Analytics events | Yes — Google (Firebase) | Analytics |
| Crash logs | Yes — Crashlytics | Yes — Google (Firebase) | Crash diagnostics |
| Advertising data | Yes — AdMob, free tier only, when active | Yes — Google (AdMob) | Ad serving and measurement |
| Personal info (name, email, address) | No | — | — |
| Financial info | No | — | — |
| Location (precise or coarse) | No | — | — |
| Photos, audio, files, health, contacts, messages | No | — | — |
Data collection is required for core app analytics functionality. Data is encrypted in transit. Users can request deletion by resetting their device advertising identifier.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. If the changes are material, we will provide a prominent notice within the App or via the App Store / Play Store listing update notes. Your continued use of the App after any changes constitutes acceptance of the updated policy.
We encourage you to review this policy periodically.
14. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact:
Trader / Data Controller
Roman Samoilenko (Ukrainian sole proprietor — FOP)
Email: tidybitapps@gmail.com
Privacy request form: daily-affirm-widget.web.app/privacy-request.html
The geographic trader address and telephone number required under EU DSA Art. 30(5) are published in the "Developer Contact" section of our App Store and Google Play product pages.